Announcement

**DeathKitten** · Nov 04, 2009, 06:56 PM

Re: Linux kernel security hole allows root access

One of the articles I read says that *buntu had this set to something other than 0 already, and there were only a few other distro that had this still set at the unsafe value, I think Red Hat was mentioned by name on this account.

I just checked the setting on mine, and it was already a large number starting with 6, which confirms at least part of what I'd read.

**Ole Juul** · Nov 04, 2009, 07:01 PM

Re: Linux kernel security hole allows root access

You mean to say that this vulnerability only works if you don't have a firewall? Sheesh! If that's the case then the reports I've seen in the press are written by incompetents.

**dibl** · Nov 04, 2009, 07:07 PM

Re: Linux kernel security hole allows root access

With no prior intervention ...

dibl@karmic:~$ cat /proc/sys/vm/mmap_min_addr
65536

I don't care about wine -- I don't use it. I guess that makes me ..... HAPPY!

**Ole Juul** · Nov 04, 2009, 07:12 PM

Re: Linux kernel security hole allows root access

I just checked and my file says 65536 as well. I'm doubting the credibility of the original report.

**dibl** · Nov 04, 2009, 07:24 PM

Re: Linux kernel security hole allows root access

I just tried it on a netbook, running sidux kernel 2.6.31. It gave 4096.

**Qqmike** · Nov 04, 2009, 07:51 PM

Re: Linux kernel security hole allows root access

65536

2.6.24-25-generic

**Ole Juul** · Nov 04, 2009, 07:52 PM

Re: Linux kernel security hole allows root access

And a machine running LinuxMint-7 last updated Apr17 also says 65536. Does anybody have a 0?

Actually waitaminit, I just found one: Kubuntu 9.04 with 2.6.28-16-generic kernel (Oct-20). So it can happen.

**Telengard** · Nov 04, 2009, 08:45 PM

Re: Linux kernel security hole allows root access

I am not certain what falls into the category vm, but I use both Wine and VirtualBox. I tested three systems.

$ uname -a && cat /proc/sys/vm/mmap_min_addr
Linux Alia 2.6.24-25-generic #1 SMP Tue Oct 20 07:31:10 UTC 2009 i686 GNU/Linux
65536

$ uname -a && cat /proc/sys/vm/mmap_min_addr
Linux vKarmic 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
65536

$ uname -a && cat /proc/sys/vm/mmap_min_addr
Linux owner-desktop 2.6.28-16-generic #55-Ubuntu SMP Tue Oct 20 19:48:32 UTC 2009 x86_64 GNU/Linux
65536

Looks like I'm safe

**Snowhog** · Nov 04, 2009, 09:34 PM

Re: Linux kernel security hole allows root access

On my Jaunty - 2.6.28-16-generic:

Code:

cat /proc/sys/vm/mmap_min_addr
65536

**kubicle** · Nov 05, 2009, 12:19 AM

Re: Linux kernel security hole allows root access

Originally posted by Ole Juul

You mean to say that this vulnerability only works if you don't have a firewall? Sheesh! If that's the case then the reports I've seen in the press are written by incompetents.

Haven't really digged into this, but AFAIK a null-point dereference kernel vulnerability can only be used to elevate privileges (user>root), so to exploit it one needs shell access to the system (ability to log into the system as a user)...so firewall is usually not essential in preventing these kinds of exploits.

**askrieger** · Nov 05, 2009, 12:44 AM

Re: Linux kernel security hole allows root access

@everybody who is getting 65536 as a value: I hate to rain on your parade, BUT:that number happens to be 2^16. i.e the first two bytes of the word are all 0 bits. This may be enough to allow the exploit. Without knowing how to read or write (as one of my former bosses used to say before he won the Nobel Prize), I just changed mine to 65535.

**Ole Juul** · Nov 05, 2009, 01:03 AM

Re: Linux kernel security hole allows root access

Originally posted by kubicle

Originally posted by Ole Juul

You mean to say that this vulnerability only works if you don't have a firewall? Sheesh! If that's the case then the reports I've seen in the press are written by incompetents.

Haven't really digged into this, but AFAIK a null-point dereference kernel vulnerability can only be used to elevate privileges (user>root), so to exploit it one needs shell access to the system (ability to log into the system as a user)...so firewall is usually not essential in preventing these kinds of exploits.

I certainly have little understanding of these things. What gets me is that vulnerabilities are sometimes reported that require some complex and very specific (even rare) conditions in order to function. In other words they are academic but reported as otherwise. This looks like it could be one of those.

askrieger: @everybody who is getting 65536 as a value: I hate to rain on your parade, BUT: that number happens to be 2^16. i.e the first two bytes of the word are all 0 bits. This may be enough to allow the exploit. Without knowing how to read or write (as one of my former bosses used to say before he won the Nobel Prize), I just changed mine to 65535.

Interesting. 65535 is also what is recommended in this report:
http://www.h-online.com/open/news/it...ss-850016.html

**kubicle** · Nov 05, 2009, 02:15 AM

Re: Linux kernel security hole allows root access

Originally posted by Ole Juul

What gets me is that vulnerabilities are sometimes reported that require some complex and very specific (even rare) conditions in order to function. In other words they are academic but reported as otherwise. This looks like it could be one of those.

I wouldn't call it purely academic, as it might cause issues in some multiuser environments...although I agree that it's not something most desktop users should be overly concerned about.

Media has a habit of "making headlines", of course. The basis of system security isn't that a system is infallible (no human-created system is), but that vulnerabilities are fixed in a timely fashion (in relation to how critical and wide a vulnerability is)

Incidentally, I'm already on lucid with 2.6.32 kernel, which should be unaffected.

**GreyGeek** · Nov 05, 2009, 09:29 AM

Re: Linux kernel security hole allows root access

Originally posted by kubicle

Originally posted by Ole Juul

You mean to say that this vulnerability only works if you don't have a firewall? Sheesh! If that's the case then the reports I've seen in the press are written by incompetents.

Haven't really digged into this, but AFAIK a null-point dereference kernel vulnerability can only be used to elevate privileges (user>root), so to exploit it one needs shell access to the system (ability to log into the system as a user)...so firewall is usually not essential in preventing these kinds of exploits.

If a bad guy is going to hack into your Kubuntu box it will, more than likely, be as the user, since remote access to root is not allowed and root has no password. After gaining access to the user account this exploit can be used to elevate priviledges. A good firewall will prevent a bad guy from hacking in.

Regardless, I suspect this hole will be patched before bad guys can exploit it to any useful extent. After all, it took them EIGHT MONTHS to capture only 700 poorly administered Linux boxes. That's a lot of work for such a small reward. 700 Linux zombies, as good as Linux is, cannot match the output of 1,300,000 Windows zombies.

Announcement

Linux kernel security hole allows root access

Linux kernel security hole allows root access

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment